CVE-2023-53481

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
01/10/2025
Last modified:
02/10/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

ubi: ubi_wl_put_peb: Fix infinite loop when wear-leveling work failed

The following process will trigger an infinite loop in ubi_wl_put_peb():

      ubifs_bgt                    ubi_bgt
    ubifs_leb_unmap
      ubi_leb_unmap
        ubi_eba_unmap_leb
          ubi_wl_put_peb           wear_leveling_worker
                                     e1 = rb_entry(rb_first(&ubi->used)
                                     e2 = get_peb_for_wl(ubi)
                                     ubi_io_read_vid_hdr  // return err (flash fault)
                                     out_error:
                                       ubi->move_from = ubi->move_to = NULL
                                       wl_entry_destroy(ubi, e1)
                                         ubi->lookuptbl[e->pnum] = NULL
          retry:
            e = ubi->lookuptbl[pnum];     // return NULL
            if (e == ubi->move_from) {    // NULL == NULL gets true
              goto retry;                 // infinite loop !!!

    $ top
      PID USER  PR  NI  VIRT  RES  SHR  S  %CPU  %MEM  COMMAND
     7676 root  20   0     0    0    0  R  100.0   0.0  ubifs_bgt0_0

Fix it by:
1) Letting ubi_wl_put_peb() return directly if the wear-leveling entry has been removed from 'ubi->lookuptbl'.
2) Using 'ubi->wl_lock' to protect wl entry deletion, to prevent a use-after-free problem for the wl entry in ubi_wl_put_peb().

Fetch a reproducer in [Link].
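
The retry logic described above, as an added user-space model in C (not the kernel source and not the patch itself). The struct layout, the result codes and the MAX_RETRIES bound are assumptions made so the model terminates; it covers fix 1) only and does not model the 'ubi->wl_lock' change in fix 2).

```c
#include <stddef.h>
#include <stdio.h>

/* User-space model (assumption): only the fields named in the commit message. */
struct wl_entry { int pnum; };
struct ubi_model {
    struct wl_entry *lookuptbl[4];
    struct wl_entry *move_from, *move_to;
};

enum { PUT_OK = 0, PUT_GONE = 1, PUT_SPIN = -1 };  /* model-only result codes */
#define MAX_RETRIES 1000  /* bound so the model terminates; the kernel loop had none */

/* wear_leveling_worker() out_error path as listed in the description. */
static void worker_out_error(struct ubi_model *ubi, struct wl_entry *e1)
{
    ubi->move_from = ubi->move_to = NULL;
    ubi->lookuptbl[e1->pnum] = NULL;   /* effect of wl_entry_destroy(ubi, e1) */
}

/* Retry logic of ubi_wl_put_peb(); with_fix adds the early return from fix 1). */
static int put_peb(struct ubi_model *ubi, int pnum, int with_fix)
{
    for (int tries = 0; tries < MAX_RETRIES; tries++) {
        struct wl_entry *e = ubi->lookuptbl[pnum];
        if (with_fix && e == NULL)
            return PUT_GONE;           /* entry already removed: return directly */
        if (e == ubi->move_from)
            continue;                  /* "goto retry"; NULL == NULL lands here */
        return PUT_OK;
    }
    return PUT_SPIN;                   /* stands in for the 100% CPU spin */
}

/* Run the sequence from the description: worker fails first, then the put. */
int put_after_worker_failure(int with_fix)
{
    struct wl_entry e1 = { .pnum = 2 };
    struct ubi_model ubi = { .lookuptbl = { [2] = &e1 }, .move_from = &e1 };
    worker_out_error(&ubi, &e1);
    return put_peb(&ubi, 2, with_fix);
}

int main(void)
{
    printf("before fix: %d\n", put_after_worker_failure(0));
    printf("after fix:  %d\n", put_after_worker_failure(1));
    return 0;
}
```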

Impact